This invention relates to the field of information systems, and more specifically to enterprise information security.
Organizations and enterprises are essentially a collection of assets. An asset is anything that has value to an organization. Assets can range from data files to physical assets. Assets may also include intangibles such as an organization's reputation and the skill sets of its workforce.
These assets include a great deal of information. In many cases, the information is confidential. The information may concern employees, customers, products, research, and financial status. The information may be stored on a variety of media including, for example, disk drives, floppy disks, magnetic disks, optical disks, magneto-optical disks, fixed disks, hard disks, CD-ROMs, recordable CDs, DVDs, and recordable DVDs. The information may also be recorded on paper and stored in, for example, binders, folders, and file cabinets.
Protecting such information by ensuring its confidentiality, integrity, and availability is critical to an organization. Security breaches could result in new product lines falling into the hands of competitors, lost business, lawsuits, identity theft, and even bankruptcy of the organization.
In many cases, protecting information is not only a business and ethical requirement, but also a legal requirement. Regulatory compliance is an important legal responsibility for many organizations. For example, the Sarbanes-Oxley Act (SOX) requires corporate officers to demonstrate the existence of various operational controls. Standards-setting bodies such as the International Organization for Standardization (ISO) have extensive policies and procedures to help ensure, for example, regulatory compliance and the safeguarding of assets and information.
Managing, securing, and monitoring an organization's assets and ensuring that the organization's policies and procedures comply with regulations can be a daunting task. It requires, for example, developing an inventory of assets, defining responsible parties, establishing acceptable use policies, classifying and labeling information, and much more. This can be a very difficult and expensive process.
Therefore, there is a need for an improved system and method of enterprise information security.